
Proceedings of Internet Society Symposium on Network and Distributed Systems Security: latest papers

Parallelized network security protocols
E. Nahum, D. Yates, S. O'Malley, H. Orman, R. Schroeppel
Security and privacy are growing concerns in the Internet community, due to the Internet's rapid growth and the desire to conduct business over it safely. This desire has led to the advent of several proposals for security standards, such as secure IP, secure HTTP, and the Secure Socket Layer. All of these standards propose using cryptographic protocols such as DES and RSA. Thus, the need to use encryption protocols is increasing. Shared-memory multiprocessors make attractive server platforms, for example as secure World-Wide Web servers. These machines are becoming more common, as shown by recent vendor introductions of platforms such as SGI's Challenge, Sun's SPARCCenter, and DEC's AlphaServer. The spread of these machines is due both to their relative ease of programming and their good price/performance. This paper is an experimental performance study that examines how encryption protocol performance can be improved by using parallelism. We show linear speedup for several different Internet-based cryptographic protocol stacks running on a symmetric shared-memory multiprocessor using two different approaches to parallelism.
DOI: https://doi.org/10.1109/NDSS.1996.492421 | Published: 1996-02-22
Citations: 19
SKEME: a versatile secure key exchange mechanism for Internet
H. Krawczyk
A secure and versatile key exchange protocol for key management over Internet is presented. SKEME constitutes a compact protocol that supports a variety of realistic scenarios and security models over Internet. It provides clear tradeoffs between security and performance as required by the different scenarios without incurring unnecessary system complexity. The protocol supports key exchange based on public key, key distribution centers, or manual installation, and provides for fast and secure key refreshment. In addition, SKEME selectively provides perfect forward secrecy, allows for replaceability and negotiation of the underlying cryptographic primitives, and addresses privacy issues as anonymity and repudiatability.
DOI: https://doi.org/10.1109/NDSS.1996.492418 | Published: 1996-02-22
Citations: 254
Designing an academic firewall: policy, practice, and experience with SURF
M. Greenwald, S. Singhal, Jonathan Stone, D. Cheriton
Corporate network firewalls are well-understood and are becoming commonplace. These firewalls establish a security perimeter that aims to block (or heavily restrict) both incoming and outgoing network communication. We argue that these firewalls are neither effective nor appropriate for academic or corporate research environments needing to maintain information security while still supporting the free exchange of ideas. In this paper we present the Stanford University Research Firewall (SURF), a network firewall design that is suitable for a research environment. While still protecting information and computing resources behind the firewall, this firewall is less restrictive of outward information flow than the traditional model; can be easily deployed; and can give internal users the illusion of unrestricted e-mail, anonymous FTP, and WWW connectivity to the greater Internet. Our experience demonstrates that an adequate firewall for a research environment can be constructed for minimal cost using off-the-shelf software and hardware components.
DOI: https://doi.org/10.1109/NDSS.1996.492415 | Published: 1996-02-22
Citations: 31
A case study of secure ATM switch booting
Shaw-Cheng Chuang, M. Roe
This paper examines a few techniques for booting Asynchronous Transfer Mode (ATM) switches securely over an insecure network. Each of these techniques assumes a different trust model. This work is being carried out in the context of the Fairisle ATM switch environment. In this environment we are envisaging an open multi-service network where ATM switches are booted with third party software, possibly using a third party booting service. Hence we are faced with an increased security threat, compared with a closed network environment, in ensuring that the switch has been booted with authorised and authenticated boot code. In this paper, we examine these threats and present three schemes of countering the threats.
DOI: https://doi.org/10.1109/NDSS.1996.492417 | Published: 1996-02-22
Citations: 1
An integration of PGP and MIME
Kazuhiko Yamamoto
Internet text mail has been developing to satisfy various user requests, such as transporting non-textual objects and privacy enhancements. While MIME redefined the mail body format to support non-textual objects and multipart structure, PGP provides encryption and digital signature features for text mail. MIME however does not provide privacy services whereas non-textual objects cannot be exchanged with PGP. It is of recent interest to integrate PGP and MIME so that users can make use of these two services at the same time. This paper describes an integration of PGP and MIME. Our scheme embeds PGP objects into MIME and maintains backward compatibility with PGP. It is possible to encrypt, sign, and sign-then-encrypt non-textual objects, single-parts in a multi-part, an entire multipart, etc. We also explain our viewing and composing mechanisms that allow users to handle PGP/MIME messages intuitively without format restrictions.
DOI: https://doi.org/10.1109/NDSS.1996.492351 | Published: 1996-02-22
Citations: 2
C-HTTP-the development of a secure, closed HTTP-based network on the Internet
T. Kiuchi, S. Kaihara
We have designed "C-HTTP" which provides secure HTTP communication mechanisms within a closed group of institutions on the Internet, where each member is protected by its own firewall. C-HTTP-based communications are made possible by the following three components: a client-side proxy, a server-side proxy and a C-HTTP name server. A client-side proxy and server-side proxy communicate with each other using a secure, encrypted protocol while communications between a user agent and client-side proxy or an origin server and server-side proxy are performed using current HTTP/1.0. In a C-HTTP-based network, instead of DNS, a C-HTTP-based secure, encrypted name and certification service is used. The aim of C-HTTP is to assure institutional level security and is different in scope from other secure HTTP protocols currently proposed which are oriented toward secure end-to-end HTTP communications in which security protection is dependent on each end-user.
DOI: https://doi.org/10.1109/NDSS.1996.492414 | Published: 1996-02-22
Citations: 3
IDUP and SPKM: developing public-key-based APIs and mechanisms for communication security services
C. Adams
In this paper we discuss progress in the development of application program interfaces (APIs) and mechanisms which provide a comprehensive set of security services to application developers. The APIs, though similar, are designed for distinct environments: the session API ("GSS") is aimed at the on-line real-time messaging environment; the store-and-forward API ("IDUP") is particularly suited to electronic-mail types of environments (where messages are secured independently of any on-line communication with intended recipients of those messages). Both APIs are designed to be easy to use, yet with appropriate public-key-based mechanisms (such as SPKM and PIM) include many necessary services for communication security, such as data origin authentication, data confidentiality, data integrity, and support for non-repudiation. A full key management and certification infrastructure can be provided by implementations of these APIs/mechanisms in a way which is completely transparent to the calling application thus ensuring maximum flexibility and scalability to future environments.
DOI: https://doi.org/10.1109/NDSS.1996.492419 | Published: 1996-02-22
Citations: 2
A "bump in the stack" encryptor for MS-DOS systems
D. Wagner, S. Bellovin
Most implementations of IP security are deeply entwined in the source of the protocol stack. However, such source code is not readily available for MS-DOS systems. We implemented a version using the packet driver interface. Our module sits between the generic Ethernet driver and the hardware driver; it emulates each to the other. Most of the code is straightforward; in a few places, though, we were forced to compensate for inadequate interface definitions.
DOI: https://doi.org/10.1109/NDSS.1996.492422 | Published: 1996-02-22
Citations: 12
Digital signature protection of the OSPF routing protocol
S. Murphy, M. R. Badger
The routing protocols used to disseminate routing information throughout the Internet are not protected from intruders or faulty router participants. This paper reports on work in progress to protect the OSPF routing protocol through the use of cryptography, specifically, digital signatures. The routing information is signed with an asymmetric cryptographic algorithm, allowing each router recipient to check the source and integrity of the information. This paper discusses the fundamental issues in security of routing protocols, reviews the basics of OSPF operation, describes the proposed design and discusses remaining vulnerabilities.
DOI: https://doi.org/10.1109/NDSS.1996.492416 | Published: 1996-02-22
Citations: 122
Scalability of security in distributed object systems
D. Nessett
This paper addresses the problem of scalability in distributed object systems. It first describes the scaling problem and then uses several examples as discussion points for the participants.
DOI: https://doi.org/10.1109/NDSS.1996.492352 | Published: 1996-02-22
Citations: 1